Planning for Security - Chapter 5
EISP
Enterprise Info Security Policy
Operational Controls
are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning.
Technical Controls
are the tactical and technical implementations of security in the organization.
Policies should NEVER __________ law.
contradict
For a policy to be effective, it must be able to ____________ that the policy has been made readily available for review by the employee.
demonstrate
Policies _______ how issues should be addressed and technologies used.
direct
When situations classified as ________, plans change as to how to respond; take action.
disasters
Incident Response planning covers:
identification of, classification of, and response to an incident.
SysSPs frequently function as standards and procedures used when configuring or _____________ systems.
maintaining
Primary function of Business Continuity Plan:
occurs concurrently with the DR plan when the damage is major or ongoing, requiring more than simple restoration of info and info resources.
EISP sets strategic direction, scope, and tone for all security efforts within the _________________.
organization
Policies are _________ laws.
organizational
Downsides of current automated response systems may __________ their benefits.
outweigh
Like laws, __________ define what is right, what is wrong, what the penalties are for violating policy, and what the appeal process is.
policies
creation of an info security program begins with the creation and/or review of an organization's info security policies, standards, and ___________.
practices
Incident Planning
predefined responses enable organization to react quickly and effectively to detected incident if: - organization has IR team - organization can detect incident
Goal of info security governance:
provide strategic direction, ensuring objectives are achieved.
Incident response is more __________ than proactive, with the exception of planning that must occur to prepare IR teams to be ready to react to an incident.
reactive
What may truly distinguish an incident from a disaster are the actions of the _____________ team.
response
Access Control List
restrict access for a particular user, computer, time, duration, or a particular file.
cold sites
rudimentary services and facilities
SETA
security education, training, and awareness program
Managerial controls
security processes that are designed by strategic planners and implemented by the security administration of the organization.
Governance
set of responsibilities and practices exercised by the board and executive management
Damage Assessment
several sources of info on damage, including system logs, intrusion detection logs, configuration logs and documents, documentation from incident response.
Team Members
should be managers or their representatives from the various communities of interest: business, information technology, and information security.
Security Blueprint
the basis for design, selection, and implementation of all security policies, education, and training programs, and technological controls.
Security Perimeter
the boundary between the outer limit of an organization's security and the beginning of the outside world.
Strategic Planning
the process of moving the organization toward its vision.
Electronic Vaulting:
the transfer of large batches of data to an offsite facility.
Remote journaling:
the transfer of live transactions to an offsite facility.
Shared site options:
time share, service bureaus, and mutual agreements.
Offsite Disaster Data Storage
to get these types of sites up and running quickly, the organization must be able to move data into the new sites systems.
DMZs
- A buffer against outside attacks is frequently referred to as a demilitarized zone (DMZ). - The DMZ is a no-man's land between the inside and outside networks; it is also where some organizations place Web servers.
Disaster Recovery planning:
- DRP is planning the prep for and recovery from a disaster - the contingency planning team must decide which actions constitute disasters, and which constitute incidents.
Three levels of Controls:
- Managerial controls - Operational controls - Technical controls
The ISO 27000 Series
- One of the most widely referenced and often discussed security models. - Framework for info security
ACLs regulate the following:
- Who can use the system - What authorized users can access - When authorized users can access the system - Where authorized users can access the system from
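The four ACL questions above (who, what, when, where) map directly onto a rule evaluator. The following is an added illustration, not code from the chapter: the rule format, the helper names, and the sample rules and requests are all constructed for this example. Rules are checked in order, the first match decides, and anything unmatched is denied.

```python
"""Constructed example of an ACL that restricts by user (who), resource (what),
time window (when) and source network (where). First matching rule wins;
no matching rule means an implicit deny. Not from the textbook chapter."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    user: str                              # who:   account name, or "*" for any user
    resource: str                          # what:  resource name, or "*" for any resource
    hours: Optional[Tuple[time, time]] = None  # when: [start, end) in local time; None = any time
    source: Optional[str] = None           # where: CIDR the request must come from; None = anywhere
    allow: bool = True                     # effect of the rule when it matches


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    at: time        # time of the access attempt
    src: str        # source IP address of the access attempt


def in_window(window: Tuple[time, time], at: time) -> bool:
    """True if `at` falls in [start, end). Handles overnight windows such as 22:00-06:00."""
    start, end = window
    if start <= end:
        return start <= at < end
    return at >= start or at < end


def from_network(cidr: str, src: str) -> bool:
    """True if `src` parses as an address inside `cidr`; malformed input never matches."""
    try:
        return ip_address(src) in ip_network(cidr, strict=False)
    except ValueError:
        return False


def evaluate(rules: List[Rule], req: Request) -> bool:
    """Return True only if the first matching rule allows the request (default deny)."""
    for rule in rules:
        if rule.user not in ("*", req.user):
            continue
        if rule.resource not in ("*", req.resource):
            continue
        if rule.hours is not None and not in_window(rule.hours, req.at):
            continue
        if rule.source is not None and not from_network(rule.source, req.src):
            continue
        return rule.allow
    return False


# Constructed sample policy (assumed names, not from the chapter).
# The explicit deny for contractors is listed first so it cannot be
# shadowed by the broader allow rules that follow it.
RULES = [
    Rule(user="contractor", resource="payroll-db", allow=False),
    Rule(user="alice", resource="payroll-db",
         hours=(time(8, 0), time(18, 0)), source="10.0.0.0/8"),
    Rule(user="*", resource="intranet-wiki", source="10.0.0.0/8"),
]


def demo() -> dict:
    """Evaluate a handful of constructed requests against RULES."""
    cases = {
        "alice_business_hours_internal": Request("alice", "payroll-db", time(9, 0), "10.1.2.3"),
        "alice_after_hours_internal":    Request("alice", "payroll-db", time(21, 0), "10.1.2.3"),
        "alice_business_hours_external": Request("alice", "payroll-db", time(9, 0), "203.0.113.5"),
        "contractor_internal":           Request("contractor", "payroll-db", time(9, 0), "10.1.2.3"),
        "bob_wiki_night_internal":       Request("bob", "intranet-wiki", time(3, 0), "10.9.9.9"),
        "bob_payroll_no_rule":           Request("bob", "payroll-db", time(9, 0), "10.1.2.3"),
        "bob_wiki_malformed_source":     Request("bob", "intranet-wiki", time(9, 0), "not-an-ip"),
    }
    return {name: evaluate(RULES, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {'ALLOW' if decision else 'DENY'}")
```

Rule order matters: a deny placed after a matching allow would never be reached, which is the usual way ACL policies silently drift from what was intended.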
Crisis Management:
- actions taken during and after a disaster that focus on people involved, and address viability of business. - disaster recovery personnel must know their roles without any supporting documentation.
The ISSP :
- addresses specific areas of technology - requires frequent updates - contain statement on organizations position on specific issue.
Attacks are classified as incidents if they:
- are directed against info assets - have a realistic chance of success - could threaten confidentiality, integrity, or availability of info resources.
Incident Reaction (3rd phase)
- consists of actions that guide organization to stop incident, mitigate the impact of incident, and provide info for recovery from incident. - actions that must occur quickly: * notification of key personnel * documentation of incident
Three approaches when creating and managing ISSPs:
- create a number of independent ISSP document - create a single comprehensive ISSP document - create a modular ISSP document
Incident Containment Strategies:
- first the affected areas must be determined - the organization can then stop the incident and attempt to regain control through a number of strategies
Defense in Depth:
- implementation of security in layers - requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls.
Purpose of SETA is to enhance security by doing the following:
- improving awareness of the need to protect system resources. - developing skills and knowledge so computer users can perform their jobs more securely. - Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
The sphere of use
- left side of "sphere of security" - illustrates the ways in which people access info.
Incident Detection (2nd phase)
- most common occurrence is complaint about technology, support, often delivered to help desk. - careful training needed to quickly identify and classify an incident. - once attack is properly identified, organization can respond.
Automated Response
- new systems can respond to incident threat autonomously.
Incident Recovery (4th Phase)
- once the incident has been contained and control of the systems regained, the next stage is recovery. - the first task is to identify the needed human resources and launch them into action. - the full extent of the damage must be assessed - the organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.
Disadvantages of Law enforcement involvement:
- organization loses control once LE takes over case - organization may not hear about case for weeks/months - vital equipment may be tagged as evidence
Business Continuity Planning
- outlines reestablishment of critical business operations during a disaster that impacts operations. - If a disaster has rendered the current location unusable, there must be a plan to allow the business to continue to function.
Project Manager
- possibly a midlevel manager or even the CISO - must lead the project and make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed to reach the goals of the project.
The sphere of protection
- right side of "sphere of security" - illustrates that between each layer of the sphere of use there must exist a layer of protection.
Benefits of Law enforcement involvement:
- the agencies may be much better able to process evidence than a particular organization
Spheres of Security
- the foundation of the security framework - illustrate how info is under attack from a variety of sources.
Continuity Strategies:
- there are a number of strategies for planning for business continuity - determining factor in selecting between options is usually cost.
Key areas of crisis management include:
- verifying personnel head count - checking the alert roster - checking emergency info cards
Law Enforcement Involvement
- when incident at hand constitutes a violation
Security Awareness
- One of the least frequently implemented, but most beneficial. - This program is designed to keep info security at the forefront of users' minds.
Five common testing strategies are presented here:
1. Checklist 2. Structured walk-through 3. Simulation 4. Parallel 5. Full Interruption
2 types of IDPSs:
1. Host-based IDPSs 2. Network-based IDPSs
Shaping policy is difficult because policy must:
1. Never conflict with laws. 2. Stand up in court, if challenged 3. Be properly administered through dissemination and documented acceptance.
IR consists of the following four phases:
1. Planning 2. Detection 3. Reaction 4. Recovery
Five goals of Info Security Governance
1. Strategic Alignment 2. Risk management 3. Resource Management 4. Performance measures 5. Value delivery
5 stages of the BIA:
1. Threat attack identification and prioritization 2. Business unit analysis 3. Attack success scenario development 4. Potential damage assessment 5. Subordinate plan classification.
When an organization considers involving law enforcement, there are several questions that must be answered.
1. When should the organization get law enforcement involved? 2. What level of law enforcement agency should be involved - local, state, or federal? 3. What happens when a law enforcement agency is involved?
EISP 4 main elements:
1. an overview of the corporate philosophy on security. 2. Information on the structure of the info security organization and individuals who fulfill the info security role. 3. Fully articulated responsibilities for security that are shared by all members of the organization ( employees, contractors, consultants, partners, and visitors ) 4. fully articulated responsibilities for security that are unique to each role within the organization
The EISP typically addresses compliance in the following two areas:
1. ensures requirements are met to establish program and assign responsibilities therein to various organizational components. 2. use of specified penalties and disciplinary action.
Dedicated recovery site options:
1. hot sites. 2. warm sites. 3. cold sites.
Systems-specific policies fall into two groups:
1. managerial guidance 2. technical specifications
What three things are needed for an organization to meet info security needs of various communities of interest?
1. policy 2. blueprints 3. planning
What are the seven components of an ISSP ?
1. statement of policy 2. authorized access and usage of equipment 3. prohibited usage of equipment 4. systems management 5. violations of policy 6. policy review and modification 7. limitations of liability.
Firewalls
A device that selectively discriminates against info flowing into or out of the organization.
Testing:
A plan untested is not a useful plan.
Security Education
Everyone in an organization needs to be trained and made aware of information security, but not every member of the organization needs a formal degree or certificate in info security.
To detect unauthorized activity within the inner network or on individual machines, organizations can implement __________________.
IDPSs
Storage:
Information in the IR plan is sensitive and should be protected.
IDPSs
Intrusion Detection and Prevention Systems
ISSP
Issue-Specific Security Policy
Security policies are the _______ expensive controls to execute, but most difficult to implement properly.
least
Mission
written statement of an organizations purpose.
Proxy Servers
Performs actions on behalf of another system.
Policy Management
Policies must be managed as they constantly change
The policy champion and manager is called the ____________ _________________.
Policy Administrator
Security Training
Provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
SysSP
Systems Specific Policy
Implementing multiple types of technology so that the failure of one system does not compromise the security of information is referred to as _________________.
Redundancy
Format and Content:
The IR plan must be organized to support quick and easy access to required information.
mutual agreements
a contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
Champion
a high level manager to support, promote, and endorse the findings of the project. This could be the CIO, or ideally the CEO.
Database Shadowing:
a process that duplicates data in real time using databases at a remote site or to multiple servers.
Incident Response Plan
addresses the identification, classification, response, and recovery from an incident.
Disaster Recovery Plan
addresses the preparation for and recovery from a disaster, whether natural or man-made.
service bureaus
an agency that provides a service for a fee, such as a physical or virtual facility for disaster recovery.
Communities of interest must consider policies as the _______ for all info security efforts.
basis
Policy:
course of action used by organizations to convey instructions from management to those who perform duties.
Managerial guidance SysSPs
created by management to guide the implementation and configuration of technology as well as to address the behavior of people in the organization in ways that support the security of info.
Business Continuity Plan
ensures that critical business functions continue if a catastrophic incident or disaster occurs.
Primary function of Incident Response:
focuses on immediate response, but if the attack escalates or is disastrous the process moves on to disaster recovery and the BC plan.
Primary function of Disaster Recovery plan:
focuses on restoring systems at the original site after disasters occur, and as such is closely associated with the BC plan.
Spheres of security :
foundation of the security framework
warm sites
fully operational hardware but software may not be present.
hot sites
fully operational sites
Selection or creation of info security architecture and the development and use of a detailed info security blueprint creates a plan for ________ success.
future
Governance Framework
in order to effectively implement security governance, follow an established framework which defines the responsibilities of key players
Business Impact Analysis (BIA)
investigation and assessment of the impact that various attacks can have on the organization.
time-share
is a hot, warm, or cold site that is leased in conjunction with a business partner or sister organization.
Contingency Plan
is prepared by the organization to anticipate, react to, and recover from events that threaten the security of info and info assets in the organization and, subsequently, to restore the organization to normal modes of business operations.
Vision
written statement about the organizations goals - where will the organization be in five years ?